Talk: 2024‐05‐15 Wallarm: API Authorization Renaissance - GluuFederation/identerati-office-hours GitHub Wiki

Title: Authz Renaissance: Why now?

https://gluu.co/wallarm-24

Topic

Controlling access to API endpoints is critical for business success. In the past 5 years, there has been a plethora of new authorization solutions. Is it finally time to externalize policies, i.e. to remove them from API code and Gateways? Fine Grain? Coarse Grain? What's a developer to do?

Audience Questions:

  • How many externalize policy management?
  • How many of you have multiple IDPs for workforce identity? Multiple IDPs for Consumer identity?
  • How many of you have to show auditors code in order to comply with a security audit of policies?
  • How many of you leverage SBOMs?
  • Have you noticed that there are a lot of new authz companies out there?

Assumptions

  • Person authn happened
  • Client authn happened
    • Client has previously registered and obtained a client_id
    • Client has obtained a JWT access token, optionally on behalf of a person
    • Client authn can happen via either:
      • shared secret
      • mTLS/SPIFFE
      • Private key JWT

Coarse Grain v. Fine Grain?

  • Coarse Grain?
    • Filter requests, e.g. allow POST to URL-x if OAuth access token scope values contain "write"
  • Fine Grain?
    • Should the drop down be greyed out?
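Added example (not from the talk): a coarse-grained policy enforcement point in Python, doing exactly the filter described above, "allow POST to a URL if the access token's scope contains write". The route table, the HS256 shared secret and the sample tokens are all constructed for this example; the point it adds to the bullet is that scope must be read from a verified token (signature and expiry checked, default deny for unknown routes), otherwise the filter is trivially bypassed by a self-minted token.

```python
"""Coarse-grained PEP: filter API requests on OAuth scope.

Added example, not from the talk. Assumptions: SHARED_SECRET is a constructed
demo HS256 key (a real gateway would verify RS256/ES256 tokens against the
IDP's JWKS); ROUTE_SCOPES is a constructed route table.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

SHARED_SECRET = b"constructed-example-secret"  # assumption: demo key only

# The "policy": (method, path) -> scope required. Kept as data, not code,
# which is what externalizing policy from the API means in practice.
ROUTE_SCOPES = {
    ("GET", "/orders"): "read",
    ("POST", "/orders"): "write",
    ("DELETE", "/orders"): "admin",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict) -> str:
    """Constructed stand-in for the IDP: issue an HS256 JWT over `claims`."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims only if signature and expiry check out, else None."""
    try:
        header, body, sig = token.split(".")
        hdr = json.loads(_b64url_decode(header))
    except (ValueError, json.JSONDecodeError):
        return None
    if hdr.get("alg") != "HS256":  # refuse alg=none / algorithm confusion
        return None
    expected = hmac.new(SHARED_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    claims = json.loads(_b64url_decode(body))
    current = now if now is not None else time.time()
    if claims.get("exp", 0) <= current:
        return None
    return claims


def authorize(method: str, path: str, token: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Coarse-grained decision: (allowed, reason)."""
    claims = verify_token(token, now)
    if claims is None:
        return False, "invalid or expired token"
    required = ROUTE_SCOPES.get((method, path))
    if required is None:
        return False, "no policy for route"  # default deny
    granted = set(claims.get("scope", "").split())  # RFC 6749: space-delimited
    if required in granted:
        return True, f"scope '{required}' present"
    return False, f"scope '{required}' missing"


if __name__ == "__main__":
    tok = mint_token({"sub": "alice", "scope": "read write", "exp": 2_000_000_000})
    print(authorize("POST", "/orders", tok))    # (True, "scope 'write' present")
    print(authorize("DELETE", "/orders", tok))  # (False, "scope 'admin' missing")
```

Note that the decision never looks at who the person is or which order is being touched; that is what makes it coarse-grained, and also why a gateway can make it from the token alone.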

Authz Decision Tree

3 Interesting Open Source PDPs

  • OPA - Open Policy Agent

    • Pros: Rego programming language can express any policy!
    • Cons: High bar for developers to learn new programming language
  • OpenFGA

    • Pros: Relationship based
    • Cons: Relationship based
  • Cedar, e.g. Amazon Verified Permissions

    • Deterministic
    • Not as flexible (but more expressive than RBAC!)
  • Honorable mention: Alpha, Topaz, Cerbos, OSO, OPAL
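Added example (not from the talk, and not the OpenFGA API): a toy relationship-based check in Python, to make concrete what "Relationship based" means as both the pro and the con above, and to answer the fine-grained question from earlier, whether a drop-down should be greyed out for this user on this document. The authorization model, the tuples and the user/group/document names are all constructed. Every decision is a graph walk over tuples (usersets such as `group:eng#member`, "editor implies viewer", and inheritance from a parent folder), which is why this family of PDPs is expressive for sharing-style permissions and why it needs the relationship graph stored and indexed centrally.

```python
"""Toy ReBAC check, OpenFGA-style. Added example; constructed model and data.

MODEL describes, per object type, which relations imply others and which are
inherited through a linking relation. TUPLES are (subject, relation, object).
"""

# Constructed authorization model.
MODEL = {
    "group": {"member": {}},
    "folder": {
        "editor": {},
        "viewer": {"implied_by": ["editor"]},          # editor implies viewer
    },
    "document": {
        "parent": {},                                  # links to a folder
        "editor": {"inherit_from": ("parent", "editor")},
        "viewer": {"implied_by": ["editor"], "inherit_from": ("parent", "viewer")},
    },
}

# Constructed relationship tuples. "group:eng#member" is a userset: every
# member of group:eng holds the relation.
TUPLES = [
    ("user:alice", "member", "group:eng"),
    ("group:eng#member", "viewer", "folder:designs"),
    ("user:bob", "editor", "folder:designs"),
    ("folder:designs", "parent", "document:spec"),
    ("user:carol", "editor", "document:spec"),
]


def direct_subjects(relation, obj):
    """Subjects written directly as having `relation` on `obj`."""
    return {s for s, r, o in TUPLES if r == relation and o == obj}


def check(user, relation, obj, seen=None):
    """True if `user` has `relation` on `obj`, following usersets, implied
    relations and parent inheritance. `seen` guards against cycles."""
    seen = set() if seen is None else seen
    if (relation, obj) in seen:
        return False
    seen.add((relation, obj))
    obj_type = obj.split(":", 1)[0]
    spec = MODEL.get(obj_type, {}).get(relation)
    if spec is None:
        return False  # unknown type/relation: deny
    # 1. Direct tuples, expanding usersets like group:eng#member.
    for subject in direct_subjects(relation, obj):
        if subject == user:
            return True
        if "#" in subject:
            userset_obj, userset_rel = subject.split("#", 1)
            if check(user, userset_rel, userset_obj, seen):
                return True
    # 2. Stronger relations on the same object (editor implies viewer).
    for stronger in spec.get("implied_by", []):
        if check(user, stronger, obj, seen):
            return True
    # 3. Inheritance via a linking relation (document -> parent folder).
    if "inherit_from" in spec:
        link_rel, parent_rel = spec["inherit_from"]
        for parent in direct_subjects(link_rel, obj):
            if check(user, parent_rel, parent, seen):
                return True
    return False


def ui_state(user, doc):
    """The fine-grained question: which controls should be enabled?"""
    return {"view": check(user, "viewer", doc), "edit": check(user, "editor", doc)}


if __name__ == "__main__":
    for u in ("user:alice", "user:bob", "user:carol", "user:dave"):
        print(u, ui_state(u, "document:spec"))
```

Alice reaches `viewer` on the document only through three hops (group membership, group's folder viewership, folder parent of document), which no scope or role check could express; the same hops are the operational cost, since the PDP must hold the whole graph to answer.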

Read Also